php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #69719 Incorrect handling of paths with NULs, related to bug 69353
Submitted: 2015-05-28 12:00 UTC Modified: 2016-02-11 12:48 UTC
From: thoger at redhat dot com Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 5.6.9 OS:
Private report: No CVE-ID: 2015-4598
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: thoger at redhat dot com
New email:
PHP Version: OS:

 

 [2015-05-28 12:00 UTC] thoger at redhat dot com
Description:
------------
Fix for bug 69353 addresses multiple issues of PHP APIs accepting paths with NUL character and passing truncated paths to underlying libraries.

https://bugs.php.net/bug.php?id=69353
http://git.php.net/?p=php-src.git;a=commitdiff;h=52b93f0cfd3cba7ff98cc5198df6ca4f23865f80

Reviewing the changes, I noticed following inconsistencies:

* DOMDocument's load functions were fixed, but not save:

$ ./sapi/cli/php -r '$d = new DOMDocument(); $d->loadHTMLFile("/etc/issue"); @unlink("output"); $d->save("output\0extra"); var_dump(file_exists("output"));'
bool(true)

$ ./sapi/cli/php -r '$d = new DOMDocument(); $d->loadHTMLFile("/etc/issue"); @unlink("output"); $d->saveHTMLFile("output\0extra"); var_dump(file_exists("output"));'
bool(true)

* GD imagepsencodefont() was fixed. That has to be called after imagepsloadfont() and that still passes 's' format to zend_parse_parameters().  I've not tested this one as I don't have build with Type1 font support available.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-05-28 18:11 UTC] cmb@php.net
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2015-06-10 04:40 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2015-06-10 04:40 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2015-06-10 07:42 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8fc52d77d6f66c438c98d536e2309b5fd13f90de
Log: Fix #69719 - more checks for nulls in paths
 [2015-06-10 08:50 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f7d7befae8bcc2db0093f8adaa9f72eeb7ad891e
Log: Fix #69719 - more checks for nulls in paths
 [2015-06-10 09:15 UTC] jpauli@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=58e590aac6839ace470650c58bf418e5fa637eb3
Log: Fix #69719 - more checks for nulls in paths
 [2016-02-11 12:48 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2015-4598
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Oct 07 21:01:27 2024 UTC